William D. Colburn (aka Schlake) writes:
> I haven't seen an announcement anywhere, but I noticed it on the FTP
> server this morning. It is dated Friday evening.
>
> ftp://ftp.udel.edu/pub/ntp/ntp4/ntp-4.0.99k23.tar.gz
>
> I tried it out with the exploit posted by "babcia padlina
> ltd. <venglin@freebsd.lublin.pl>" and it seems to be safe. I never had
> a machine that the exploit worked against, but my ntp servers would exit
> with a segfault when it was run against them. The new server does not
> exit.
FWIW, I downloaded Redhat's patched source RPM and compared the against
ntp-4.0.99k23. While this *particular* exploit appears to be fixed, there
are some other buffer overflows that are not fixed by k23 that are fixed in
the Redhat patches, in particular the use of vsnprintf instead of vsprintf.
Then again, the Redhat version may not catch all of these, either. I
didn't think to check at the time.
ftp://updates.redhat.com/7.0/en/os/SRPMS/ntp-4.0.99k-15.src.rpm
...or just grep the k23 source for vsprintf. Once you think to look, the
fixes are pretty obvious.
################################################################
# find ntp-4.0.99k23 -name \*.c | xargs grep vsprintf
./libntp/snprintf.c: rp = vsprintf(str, fmt, ap);
./libntp/snprintf.c: rval = vsprintf(str, fmt, ap);
./libntp/snprintf.c: return (strlen(vsprintf(str, fmt, ap)));
./libntp/snprintf.c: return (vsprintf(str, fmt, ap));
./libntp/msyslog.c: vsprintf(buf, nfmt, ap);
./ntpd/refclock_mx4200.c: (void)vsprintf(cp, fmt, ap);
./ntpdate/ntpdate.c:vsprintf(
./ntpdate/ntptimeset.c:int vsprintf P((char *str, const char *fmt, va_list ap));
./ntpdate/ntptimeset.c:vsprintf(
./ntptrace/ntptrace.c:vsprintf(
################################################################
FWIW, the Redhat version also syslog()s attempts to use the published
exploit. Hmmm. Perhaps a DoS is next for the "fixed" version.
:-) / 2
Hope this helps,
Chuck
> I haven't seen an announcement anywhere, but I noticed it on the FTP
> server this morning. It is dated Friday evening.
>
> ftp://ftp.udel.edu/pub/ntp/ntp4/ntp-4.0.99k23.tar.gz
>
> I tried it out with the exploit posted by "babcia padlina
> ltd. <venglin@freebsd.lublin.pl>" and it seems to be safe. I never had
> a machine that the exploit worked against, but my ntp servers would exit
> with a segfault when it was run against them. The new server does not
> exit.
FWIW, I downloaded Redhat's patched source RPM and compared the against
ntp-4.0.99k23. While this *particular* exploit appears to be fixed, there
are some other buffer overflows that are not fixed by k23 that are fixed in
the Redhat patches, in particular the use of vsnprintf instead of vsprintf.
Then again, the Redhat version may not catch all of these, either. I
didn't think to check at the time.
ftp://updates.redhat.com/7.0/en/os/SRPMS/ntp-4.0.99k-15.src.rpm
...or just grep the k23 source for vsprintf. Once you think to look, the
fixes are pretty obvious.
################################################################
# find ntp-4.0.99k23 -name \*.c | xargs grep vsprintf
./libntp/snprintf.c: rp = vsprintf(str, fmt, ap);
./libntp/snprintf.c: rval = vsprintf(str, fmt, ap);
./libntp/snprintf.c: return (strlen(vsprintf(str, fmt, ap)));
./libntp/snprintf.c: return (vsprintf(str, fmt, ap));
./libntp/msyslog.c: vsprintf(buf, nfmt, ap);
./ntpd/refclock_mx4200.c: (void)vsprintf(cp, fmt, ap);
./ntpdate/ntpdate.c:vsprintf(
./ntpdate/ntptimeset.c:int vsprintf P((char *str, const char *fmt, va_list ap));
./ntpdate/ntptimeset.c:vsprintf(
./ntptrace/ntptrace.c:vsprintf(
################################################################
FWIW, the Redhat version also syslog()s attempts to use the published
exploit. Hmmm. Perhaps a DoS is next for the "fixed" version.
:-) / 2
Hope this helps,
Chuck